Azure Blob Storage

Azure Blob Storage connectors are secure gateways through which data can be moved in and out of the Platform using shared access signature (SAS) tokens. It is referred to as a data storage connector. The first step in creating this connector is setting up SAS tokens for storage containers and blobs to store the data you intend to access.

Microsoft has a comprehensive and publicly available guide for creating SAS tokens for your storage containers. SAS tokens provide secure, delegated access to resources in your Azure storage account.

Note: You must have access to a Microsoft Azure cloud account. See Create shared access signature (SAS) tokens for storage containers and blobs for more information.

Create the SAS Token and URL

To create the credentials required to use Azure Blob Storage:

  1. Go to your Microsoft Azure management console.

  2. Select the storage account and container.

  3. Open the Shared Access Tokens menu.

    • Tick all permissions.

    • Set the Expiry to a date in the future.
      Once this date has passed, this endpoint will no longer be accessible.

    • Click Generate SAS token and URL.

    • Copy the Blob SAS URL as this is required to create the endpoint in the Platform.

Now you are ready to connect your storage to the platform via a Connector, as shown here.

Create the Connector

  1. Click Manage on the Navigation bar.

  2. Select Connectors to view the Manage Connectors screen

  3. Click the Create Connector button at the top right

  4. Enter a Name for your Connector and a Description (optional)

  5. Choose Type > Azure Blob Storage.

  1. In the Shared Access Signature section:

    • Enter the Blob SAS URL.

    • (Optional) Insert a Blob prefix.

  2. Use the above access permissions instructions to add the displayed member details to your permissions tab.

  3. Add any Integration Metadata needed for programmatic integration.

  1. Click Create. Connection test will run and if successful, will show Connection Test Status as Successful.

  1. Click Close.

At-Source Tabular Assets

At-source cataloguing for tabular assets on object stores is supported on Databricks data planes from version 5.30. Operators can register and catalogue tabular assets directly from Azure Blob Storage without copying data into the platform.

  • At-source assets are catalogued directly from cloud storage — no data movement required.

  • Once catalogued, assets can be used in Spaces, Query, Export, and Data Sharing in the same way as on-platform assets. Please see the 'limitations' section below for details regarding the Data Sharing consumption feature.

This feature uses Harbr's per-dataplane Access Connector managed identity for authentication and requires the Enable At-Source toggle to be turned on when configuring the Azure Blob connector.

Note — ADLS Gen2 required. Hierarchical namespace (ADLS Gen2) must be enabled on the storage account. Flat namespace Azure Blob Storage is not supported for at-source via Unity Catalog External Locations.

How it works

Provisioning happens in two phases:

  1. Connector save — when the Enable At-Source toggle is turned on and the connector is saved, Harbr provisions a Unity Catalog Storage Credential (shared per-dataplane) and External Location in the Databricks data plane. The Access Connector MI Object ID is displayed on the connector view.

  2. Asset creation (DataSync) — when a producer creates a tabular asset from an at-source-enabled connector, the platform triggers a DataSync that provisions a Unity Catalog External Table at the asset's storage path.

Supported asset types

Format

Export

Delta Share

Views in Delta Share

Delta

✓ Yes

✗ Not yet supported

✗ Not yet supported

Parquet, ORC, Avro, CSV, JSON

✓ Yes

✗ No

✗ No

Operator setup

  1. In the connector form, enable the Enable At-Source toggle and save. No new form fields are required. The platform provisions a UC Storage Credential (shared per-dataplane) and External Location. The Access Connector MI Object ID is displayed on the connector view.

  2. In Azure Portal, navigate to your storage container → Access Control (IAM). Grant Storage Blob Data Contributor to the principal with the MI Object ID shown on the connector view.

  3. In Azure Portal, navigate to your storage account → Access Control (IAM). Grant Storage Blob Delegator to the same principal. This grant must be applied at storage account scope, not container level.

  4. Run Test Connector and confirm PASS before allowing producers to create assets.

Connection test

When the Enable At-Source toggle is on, the Test Connector function runs two probes:

  • Base probe — the existing Azure SAS connectivity check (unchanged).

  • At-source probe — validates the Unity Catalog Storage Credential and External Location. Returns typed outcomes: PASS, CREDENTIAL_TRUST_FAILED, STORAGE_ACCESS_FAILED, NOT_PROVISIONED, or DATAPLANE_NOT_READY.

Run Test Connector before creating any assets to catch credential misconfiguration early. See your operator for guidance if the at-source probe fails.

Limitations

  • Delta Sharing for at-source assets via the Azure Blob connector is not yet supported and will be available in a future release. Delta Sharing is currently supported for at-source assets via the S3 connector (Delta format only).

  • File / binary at-source is not included — this covers tabular assets only.

  • DataSync failure is terminal in v1. There is no user-initiated retry. If a DataSync fails, the recovery path is to decommission the asset and recreate it. Run Test Connector before creating assets to reduce this risk.

  • Schema evolution in place is not supported. If the storage path or schema changes, the asset must be decommissioned and recreated.

  • Disabling the Enable At-Source toggle retains the Unity Catalog Storage Credential and External Location — it does not revoke access to the storage. Full revocation requires deleting the connector in Harbr and removing the RBAC grant on the customer side.

  • Each storage location can only have one connector. If a connector already exists for a location, you must delete it before creating a new one.